Modern enterprise applications employ a multitude of Information Technology (IT) systems, including network operating systems, a range of servers, user directories, human resources, payroll and management systems, line-of-business applications, customer relationship management systems, and electronic commerce applications. In addition, a variety of users access these systems, such as administrators, employees, contractors, partners, vendors, and customers. Almost every system must track valid users and control their access privileges to various parts of the enterprise application. For example, an administrator may have access to all levels of the enterprise system, including databases containing sensitive information about other users, but a customer may only have permission to access a few systems, such as customer relationship management and e-Commerce.
Because enterprise applications have become increasingly distributed and complex, organizations often use identity management systems to facilitate services such as user authentication, access rights, access restrictions, account profiles, and passwords. Identity management systems consolidate and streamline the management of user identity information across the life cycle of an identity profile, which includes initial setup, change and maintenance, and tear down. Initial setup occurs when a new user joins an organization and requires timely and accurate entry of data across multiple systems. Change and maintenance are performed during the lifetime of the identity profile and may involve routine password changes, name and profile changes, adding and removing individual login accounts, and changing privileges on existing accounts. Tear down is performed when a user leaves the organization and typically involves flagging the identity profile and disabling the identity profile's access to systems.
Challenges in identity management include consistency, efficiency, usability, and reliability. To achieve consistency, an identity management system must synchronize identity data reliably among multiple systems. Efficiency suffers when access for a single profile must be enabled separately with each system's own tools rather than through a single interface. Usability is diminished when access to multiple systems requires multiple login IDs, multiple passwords, and multiple sign-on screens. Reliability refers to the complete, timely, and accurate production of identity data on every system and is especially important when that identity data controls access to sensitive information or resources.
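The lifecycle and consistency requirements described above can be illustrated with a small model of an identity manager that holds one master profile per user, propagates setup, change, and teardown to several managed systems, and audits those systems for drift. This is an added example written for this page, not code from the original text or from any identity management product; the class names, the target systems (a directory and a CRM) and the privilege names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Profile:
    """Identity data as stored on the master or on one managed system."""
    login: str
    name: str
    privileges: Set[str]
    disabled: bool = False
    flagged: bool = False


class TargetSystem:
    """Constructed stand-in for one managed system (directory, HR, CRM, ...).

    Each system only understands the privileges in its own namespace, so the
    manager must project the master profile onto that namespace.
    """

    def __init__(self, name: str, privilege_namespace: Set[str]):
        self.name = name
        self.namespace = privilege_namespace
        self.accounts: Dict[str, Profile] = {}


class IdentityManager:
    """Single interface that drives the identity lifecycle on every system."""

    def __init__(self, systems: Iterable[TargetSystem]):
        self.systems = {s.name: s for s in systems}
        self.master: Dict[str, Profile] = {}

    # --- initial setup: a new user joins the organization -------------------
    def setup(self, login: str, name: str, privileges: Iterable[str]) -> None:
        self.master[login] = Profile(login, name, set(privileges))
        self._propagate(login)

    # --- change and maintenance: name/profile changes, privilege changes ----
    def change(self, login: str, name: Optional[str] = None,
               add: Iterable[str] = (), remove: Iterable[str] = ()) -> None:
        p = self.master[login]
        if name:
            p.name = name
        p.privileges |= set(add)
        p.privileges -= set(remove)
        self._propagate(login)

    # --- teardown: flag the profile and disable its access everywhere -------
    def tear_down(self, login: str) -> None:
        p = self.master[login]
        p.flagged = True
        p.disabled = True
        p.privileges = set()          # no privilege survives teardown
        self._propagate(login)

    def _propagate(self, login: str) -> None:
        """Push the master profile to every system it belongs on."""
        p = self.master[login]
        for s in self.systems.values():
            relevant = p.privileges & s.namespace
            # create the account where privileges apply; keep (and disable)
            # existing accounts so teardown leaves an auditable, locked entry
            if relevant or login in s.accounts:
                s.accounts[login] = Profile(p.login, p.name, relevant,
                                            p.disabled, p.flagged)

    def audit(self) -> List[str]:
        """Reliability check: report every system whose copy drifted from master."""
        findings: List[str] = []
        for login, p in self.master.items():
            for s in self.systems.values():
                expected = p.privileges & s.namespace
                local = s.accounts.get(login)
                if local is None:
                    if expected:
                        findings.append(f"{s.name}: missing account {login}")
                elif (local.privileges, local.disabled) != (expected, p.disabled):
                    findings.append(f"{s.name}: drift for {login}")
        return findings


if __name__ == "__main__":
    directory = TargetSystem("directory", {"login", "vpn"})
    crm = TargetSystem("crm", {"crm.read", "crm.write"})
    idm = IdentityManager([directory, crm])
    idm.setup("bob", "Bob Smith", ["login", "crm.read"])   # constructed user
    idm.change("bob", add=["crm.write"], remove=["crm.read"])
    idm.tear_down("bob")
    crm.accounts["bob"].disabled = False   # an out-of-band change on one system
    print(idm.audit())                     # the audit reports the drift on crm
```

The audit is the part worth keeping in mind: teardown that disables an account on every system is only as reliable as the check that later confirms each system still agrees with the master record, which is why an out-of-band re-enable on a single system should surface as a finding rather than go unnoticed.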
Several technologies currently exist for identity management in enterprise applications. Directories, which may be stored on one or more directory servers and accessed by protocols such as Lightweight Directory Access Protocol (LDAP) and X.500, consolidate the management of data about users as well as other objects in the enterprise application, including user groups, servers, printers, etc. Web access management (WAM) tools allow users to be authenticated once and maintain the authentication state as the users navigate between applications. WAM systems may also define user groups and assign access privileges to users on the managed systems. Legacy single sign-on, or SSO, systems give users a client-side master system to sign onto while storing users' logins and passwords to every supported application. When a user launches an application through the SSO software, the SSO software opens the appropriate program and sends the appropriate login and password to that program for the user. SSO access requests are authenticated by an SSOToken validation process. If a user cannot provide a valid SSOToken, the access request is denied and the user is prompted for login credentials before opening any SSO applications.
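The SSOToken validation step described above (a request is served only when it carries a valid token, and otherwise the user is sent to a login prompt) can be modelled as follows. This is an added example for this page, not code from the original text or from any SSO product; the token format (an HMAC-signed JSON payload with an expiry), the secret key, and the user and application names are constructed assumptions used only to show the validation logic.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample key for the example; a real deployment keeps this in a
# secret store and rotates it.
SECRET = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, ttl_seconds: int, now: Optional[float] = None,
                key: bytes = SECRET) -> str:
    """Issue an SSO token after the user has authenticated with credentials."""
    now = time.time() if now is None else now
    claims = {"sub": user, "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def validate_token(token: str, now: Optional[float] = None,
                   key: bytes = SECRET) -> Optional[str]:
    """Return the subject if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except ValueError:            # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # constant-time comparison so timing does not leak how much of the MAC matched
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)  # only parsed after the MAC proves authenticity
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def handle_access_request(app: str, token: Optional[str],
                          now: Optional[float] = None) -> dict:
    """Gate an application launch on SSOToken validation.

    A missing, forged, malformed or expired token denies the request and
    directs the user to the login prompt instead of opening the application.
    """
    subject = validate_token(token, now) if token else None
    if subject is None:
        return {"app": app, "granted": False, "action": "prompt_login"}
    return {"app": app, "granted": True, "user": subject}


if __name__ == "__main__":
    tok = issue_token("alice", ttl_seconds=3600)          # constructed user
    print(handle_access_request("crm", tok))              # granted
    print(handle_access_request("crm", None))             # prompt_login
    print(handle_access_request("crm", tok, now=time.time() + 7200))  # expired
```

Two design points are worth noting for anyone building such a gate: the payload is parsed only after its MAC has been verified, so untrusted input never reaches the JSON parser, and the expiry check means a stolen token has a bounded useful lifetime, which is the main reason SSO tokens should be short-lived and re-issued rather than valid indefinitely.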